[Security] Bump qs from 0.6.6 to 6.10.0 #174

dependabot-preview · 2021-03-19T00:18:59Z

Bumps qs from 0.6.6 to 6.10.0. This update includes security fixes.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

NPM qs is vulnerable to DoS the web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send a evil request to cause the web framework crash.

Affected versions: < 6.0.4

Sourced from The GitHub Security Advisory Database.

Moderate severity vulnerability that affects qs The qs module before 1.0.0 does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time. An attacker could leverage this to cause a temporary denial-of-service condition, for example, in a web application, other requests would not be processed while this blocking is occurring.

Affected versions: < 1.0.0

Sourced from The Node Security Working Group.

Denial-of-Service Memory Exhaustion The qs module has the ability to create sparse arrays during parsing. By specifying a high index it is possible to create a large array that will eventually take up all the allocated memory of the running process, resulting in a crash.

Affected versions: <1.0.0

Sourced from The Node Security Working Group.

Denial-of-Service Extended Event Loop Blocking The qs module does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time. An attacker could leverage this to cause a temporary denial-of-service condition, for example, in a web application, other requests would not be processed while this blocking is occurring.

Affected versions: <1.0.0

Changelog

Sourced from qs's changelog.

6.10.0

[New] stringify: throw on cycles, instead of an infinite loop (#395, #394, #393)

[New] parse: add allowSparse option for collapsing arrays with missing indices (#312)

[meta] fix README.md (#399)

[meta] only run npm run dist in publish, not install

[Dev Deps] update eslint, @ljharb/eslint-config, aud, has-symbols, tape

[Tests] fix tests on node v0.6

[Tests] use ljharb/actions/node/install instead of ljharb/actions/node/run

[Tests] Revert "[meta] ignore eclint transitive audit warning"

6.9.6

[Fix] restore dist dir; mistakenly removed in d4f6c32

6.9.5

[Fix] stringify: do not encode parens for RFC1738

[Fix] stringify: fix arrayFormat comma with empty array/objects (#350)

[Refactor] format: remove util.assign call

[meta] add "Allow Edits" workflow; update rebase workflow

[actions] switch Automatic Rebase workflow to pull_request_target event

[Tests] stringify: add tests for #378

[Tests] migrate tests to Github Actions

[Tests] run nyc on all tests; use tape runner

[Dev Deps] update eslint, @ljharb/eslint-config, browserify, mkdirp, object-inspect, tape; add aud

6.9.4

[Fix] stringify: when arrayFormat is comma, respect serializeDate (#364)

[Refactor] stringify: reduce branching (part of #350)

[Refactor] move maybeMap to utils

[Dev Deps] update browserify, tape

6.9.3

[Fix] proper comma parsing of URL-encoded commas (#361)

[Fix] parses comma delimited array while having percent-encoded comma treated as normal text (#336)

6.9.2

[Fix] parse: Fix parsing array from object with comma true (#359)

[Fix] parse: throw a TypeError instead of an Error for bad charset (#349)

[meta] ignore eclint transitive audit warning

[meta] fix indentation in package.json

[meta] add tidelift marketing copy

[Dev Deps] update eslint, @ljharb/eslint-config, object-inspect, has-symbols, tape, mkdirp, iconv-lite

[actions] add automatic rebasing / merge commit blocking

6.9.1

[Fix] parse: with comma true, handle field that holds an array of arrays (#335)

[Fix] parse: with comma true, do not split non-string values (#334)

[meta] add funding field

[Dev Deps] update eslint, @ljharb/eslint-config

[Tests] use shared travis-ci config

... (truncated)

Commits

See full diff in compare view

Maintainer changes

This version was pushed to npm by ljharb, a new releaser for qs since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
@dependabot use these labels will set the current labels as the default for future PRs for this repo and language
@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
@dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

Update frequency (including time of day and day of week)
Pull request limits (per update run and/or open at any time)
Automerge options (never/patch/minor, and dev/runtime dependencies)
Out-of-range updates (receive only lockfile updates, if desired)
Security updates (receive only security updates, if desired)

Bumps [qs](https://github.com/ljharb/qs) from 0.6.6 to 6.10.0. **This update includes security fixes.** - [Release notes](https://github.com/ljharb/qs/releases) - [Changelog](https://github.com/ljharb/qs/blob/master/CHANGELOG.md) - [Commits](https://github.com/ljharb/qs/commits/v6.10.0) Signed-off-by: dependabot-preview[bot] <[email protected]>

dependabot-preview · 2021-03-23T00:16:22Z

Superseded by #176.

dependabot-preview bot added dependencies Pull requests that update a dependency file security Pull requests that address a security vulnerability labels Mar 19, 2021

dependabot-preview bot mentioned this pull request Mar 19, 2021

[Security] Bump qs from 0.6.6 to 6.9.6 #157

Closed

dependabot-preview bot closed this Mar 23, 2021

dependabot-preview bot deleted the dependabot/npm_and_yarn/qs-6.10.0 branch March 23, 2021 00:16

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[Security] Bump qs from 0.6.6 to 6.10.0 #174

[Security] Bump qs from 0.6.6 to 6.10.0 #174

Uh oh!

dependabot-preview bot commented Mar 19, 2021

Uh oh!

dependabot-preview bot commented Mar 23, 2021

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

[Security] Bump qs from 0.6.6 to 6.10.0 #174

[Security] Bump qs from 0.6.6 to 6.10.0 #174

Uh oh!

Conversation

dependabot-preview bot commented Mar 19, 2021

6.10.0

6.9.6

6.9.5

6.9.4

6.9.3

6.9.2

6.9.1

Uh oh!

dependabot-preview bot commented Mar 23, 2021

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants